Whilst investigating a VMware-reported buffer overflow vulnerability (bug
#426568) in the PAM authentication code in the OpenPegasus CIM management server
that didn't affect Red Hat packages, I found another one that did.
This vulnerability can be exploited remotely and results in arbitrary code
execution with the privileges of the cimserver process. Note that we do ship
with a default SELinux policy for this package.
Current embargo is unset. Likely to be 2nd week of Jan 2008.

This is a problem inside PAMBasicAuthenticator::PAMCallback():

    //
    // copy the user password
    //
    resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE);
    strcpy(resp[i]->resp, mydata->userPassword);
    resp[i]->resp_retcode = 0;
    break;
But mydata->userPassword is the password supplied by the remote client; in the
triggering case it is 2000 characters long, while PAM_MAX_MSG_SIZE is 512, so
strcpy() runs past the end of the 512-byte buffer. Exploiting this will be
tricky, as ExecShield is in use and we ship a default SELinux targeted policy
for this server.
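The following is an added example, not OpenPegasus or Red Hat code, showing how the
conversation callback above can be written so that an oversized password fails
closed instead of overrunning the response buffer. It follows the documented
pam_conv convention (*resp receives an array of num_msg responses allocated by the
callback) rather than the resp[i]->resp indexing of the original snippet. The PAM
structs and constants are local stand-ins copied from Linux-PAM's
<security/pam_appl.h> so the file builds without libpam; conv_data, run_conversation
and the 'A'-filled passwords are constructed for the example.

```c
/* Added example (not OpenPegasus code): a bounds-checked PAM conversation
 * callback plus a driver that feeds it a 2000-character password, the length
 * from the bug report.  PAM structs/constants are local stand-ins taken from
 * Linux-PAM's pam_appl.h so this builds without libpam. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_MAX_NUM_MSG      32
#define PAM_MAX_RESP_SIZE    512   /* Linux-PAM caps messages and responses at 512 bytes */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* appdata_ptr payload; field named after the one in the vulnerable snippet (constructed) */
struct conv_data { const char *userPassword; };

static void free_responses(struct pam_response *reply, int n)
{
    for (int i = 0; i < n; i++)
        free(reply[i].resp);
    free(reply);
}

/* Conversation callback in the shape PAM expects: on success *resp points to
 * an array of num_msg responses owned by the caller. */
int pam_callback_bounded(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr)
{
    const struct conv_data *mydata = appdata_ptr;
    *resp = NULL;
    if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG || mydata == NULL)
        return PAM_CONV_ERR;

    struct pam_response *reply = calloc((size_t)num_msg, sizeof *reply);
    if (reply == NULL)
        return PAM_BUF_ERR;

    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
            /* Only a password prompt is answered here; anything else is an error. */
            free_responses(reply, num_msg);
            return PAM_CONV_ERR;
        }
        /* The original strcpy() trusted the client-supplied length.  Measure it
         * with a bound first and fail closed if it would not fit with its NUL. */
        size_t len = strnlen(mydata->userPassword, PAM_MAX_RESP_SIZE);
        if (len >= PAM_MAX_RESP_SIZE) {
            free_responses(reply, num_msg);
            return PAM_CONV_ERR;
        }
        reply[i].resp = malloc(PAM_MAX_RESP_SIZE);
        if (reply[i].resp == NULL) {
            free_responses(reply, num_msg);
            return PAM_BUF_ERR;
        }
        memcpy(reply[i].resp, mydata->userPassword, len + 1);
        reply[i].resp_retcode = 0;
    }
    *resp = reply;
    return PAM_SUCCESS;
}

/* Drive the callback the way pam_authenticate() would for a single
 * PAM_PROMPT_ECHO_OFF prompt, using a constructed password of password_len 'A's.
 * Returns the PAM status; *out receives the response array or NULL. */
int run_conversation(size_t password_len, struct pam_response **out)
{
    char *pw = malloc(password_len + 1);
    if (pw == NULL)
        return PAM_BUF_ERR;
    memset(pw, 'A', password_len);
    pw[password_len] = '\0';

    struct conv_data data = { pw };
    struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[1] = { &prompt };
    int rc = pam_callback_bounded(1, msgs, out, &data);
    free(pw);
    return rc;
}

int main(void)
{
    struct pam_response *r = NULL;
    int rc = run_conversation(2000, &r);   /* the length from the bug report */
    printf("2000-char password: rc=%d (PAM_CONV_ERR is %d)\n", rc, PAM_CONV_ERR);
    rc = run_conversation(8, &r);
    printf("8-char password: rc=%d, copied=\"%s\"\n", rc, r ? r[0].resp : "(none)");
    if (r)
        free_responses(r, 1);
    return 0;
}
```

The boundary is deliberate: strnlen() with the buffer size as its limit never reads
more than 512 bytes of attacker-controlled data, and a 511-character password (plus
NUL) is the longest that is accepted; 512 or more is refused before any copy happens,
which is the failure mode that mattered here.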

Description for advisory:
During a security audit, a stack buffer overflow flaw was found in the PAM
authentication code in the OpenPegasus CIM management server. An
unauthenticated remote user could trigger this flaw and potentially execute
arbitrary code with root privileges. (CVE-2008-0003)

Mitigation:
The tog-pegasus package is not installed by default on Red Hat Enterprise Linux.
The tog-pegasus build supplied by Red Hat binds to a single port, 5989 (HTTPS),
as plain HTTP is disabled. The default firewall installed by Red Hat Enterprise
Linux blocks remote access to this port. In normal use it is unlikely you would
want this port reachable from outside an intranet anyway, and it is likely to be
blocked by enterprise border firewalls.
However, if tog-pegasus has been installed and port 5989 has been opened through
the firewall, the Red Hat Security Response Team believes it would still be hard
to exploit this issue remotely to execute arbitrary code, due to the default
SELinux targeted policy on Enterprise Linux 4 and 5 and the SELinux memory
protections enabled by default on Enterprise Linux 5.